Subject: misc/574: syslog.conf has insecure configuration
To: None <>
From: Luke Mewburn <>
List: netbsd-bugs
Date: 11/14/1994 15:50:05
>Number:         574
>Category:       misc
>Synopsis:       syslog sends authpriv stuff to insecure places
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin (Misc Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   lm
>Arrival-Date:   Mon Nov 14 15:50:04 1994
>Originator:     Luke Mewburn
>Release:        1.0
System: NetBSD dodo 1.0_BETA NetBSD 1.0_BETA (DODO) #0: Wed Oct 26 13:36:30 EST 1994 simonb@dodo:/slab/0/src/sys/arch/i386/compile/DODO i386

According to the syslog man page:
	LOG_AUTHPRIV	The same as LOG_AUTH, but logged to a file
			readable only by selected individuals.

But, the current syslog.conf file sends *.info to /var/log/messages.
So, login failure messages such as:
	Nov 15 10:37:50 dodo login: 3 LOGIN FAILURES FROM localhost
	Nov 15 10:37:50 dodo login: 3 LOGIN FAILURES FROM localhost, foo
get scattered through /var/log/messages. The second line should NOT be
appearing there, as the `foo' bit could be a password typed out of sync...

Get a login prompt on a machine, and generate a few incorrect logins
and watch messages on the console and /var/log/messages appear...

- apply the following patch to /usr/src/etc/syslog.conf.
- ensure that /var/log/secure exists and has 600 root.wheel
- maybe modify /usr/src/etc/newsyslog.conf to rotate the
  secure logs...

Notice how I've removed *.notice since *.info already
grabs that. In fact, mail.crit could have been removed
from the /var/log/messages line since *.notice will get
that as well.

The important modification is the authpriv.none entry
which stops wildcard matches on any authpriv stuff.
I've put authpriv to /var/log/secure (which the 4.4BSD
mdist security stuff checks anyway). If you don't want
these messages appearing on the console either, make
an appropriate change.

*** /etc/syslog.conf	Wed Oct 19 12:01:10 1994
--- syslog.conf	Tue Nov 15 10:45:23 1994
*** 1,6 ****
  *.err;kern.debug;auth.notice;mail.crit		/dev/console
! *.notice;kern.debug;lpr,;mail.crit	/var/log/messages
! *.info						/var/log/messages					/var/log/maillog					/var/log/lpd-errs					/var/cron/log
--- 1,6 ----
  *.err;kern.debug;auth.notice;mail.crit		/dev/console
! *.info;kern.debug;mail.crit;authpriv.none	/var/log/messages
!					/var/log/secure					/var/log/maillog					/var/log/lpd-errs					/var/cron/log
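
Review bot: on the new side, the first line (`*.err;kern.debug;auth.notice;mail.crit /dev/console`) is left without `authpriv.none`, so authpriv messages at err or above still match `*.err` and reach the console; add `authpriv.none` there, as on the /var/log/messages line, if the console should not show them. The /var/log/secure entry as it appears in this hunk shows no selector in front of the file name, so confirm it names authpriv before applying. The file itself should be created mode 600, owned by root.wheel, before syslogd rereads the configuration, as the report's steps say.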
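
Added example (not part of the original report and not NetBSD's syslogd code): a small model of how a syslog.conf selector field is evaluated, showing why `*.info` catches authpriv messages and why `authpriv.none` stops it. The selector lines are the ones visible in the patch; the function names are hypothetical and the message levels tested (notice, err) are assumptions.

```python
"""Added example: model of syslog.conf selector matching (not syslogd's code)."""
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def selector_mask(field):
    """Return (default, per_facility) level limits; None means 'none'.
    Selectors apply left to right, a later one overriding an earlier one
    for the same facility; '*' as facility covers every facility.
    """
    default, per_fac = None, {}
    for sel in filter(None, (s.strip() for s in field.split(";"))):
        facs, _, lvl = sel.rpartition(".")
        if lvl == "none":
            limit = None
        elif lvl == "*":
            limit = len(LEVELS) - 1
        else:
            limit = LEVELS.index(lvl)  # ValueError on an unknown level
        for fac in filter(None, facs.split(",")):
            if fac == "*":
                default, per_fac = limit, {}
            else:
                per_fac[fac] = limit
    return default, per_fac

def accepts(field, facility, level):
    """True if a message of facility.level matches the selector field."""
    default, per_fac = selector_mask(field)
    limit = per_fac.get(facility, default)
    return limit is not None and LEVELS.index(level) <= limit

def destinations(conf, facility, level):
    """Actions of every non-comment line whose selectors accept the message."""
    out = []
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            field, action = line.split(None, 1)
            if accepts(field, facility, level):
                out.append(action.strip())
    return out

# Constructed samples: selector lines as they are visible in the patch.
BEFORE = ("*.err;kern.debug;auth.notice;mail.crit\t/dev/console\n"
          "*.info\t/var/log/messages\n")
AFTER = ("*.err;kern.debug;auth.notice;mail.crit\t/dev/console\n"
         "*.info;kern.debug;mail.crit;authpriv.none\t/var/log/messages\n")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, destinations(conf, "authpriv", "notice"))
```

Running the same check against a live configuration shows at a glance which files and devices would receive a given facility and level.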